Organisation: CN

Flax Typhoon

China-state cyber actor operating Raptor Train botnet to compromise global critical infrastructure.

Last refreshed: 30 April 2026

Key Question

Can Western defenders ever get ahead of an actor whose infrastructure refreshes faster than IOC lists?

Timeline for Flax Typhoon

23 Apr: Sixteen agencies put IOC extinction in print (Cybersecurity: Threats and Defences)
Common Questions
What is Flax Typhoon and who does it target?
Flax Typhoon is a China-state cyber espionage group active since at least 2021. It targets government agencies, defence contractors, telecoms, energy, and healthcare sectors, primarily in Taiwan, Southeast Asia, and the United States. It operates through Integrity Technology Group, which managed the 200,000-device Raptor Train botnet as its covert relay network.
Source: NCSC 16-agency joint advisory, April 2026

How does Flax Typhoon avoid detection?
Flax Typhoon routes its traffic through a botnet of compromised end-of-life SOHO routers, cameras, and firewalls called Raptor Train. Because these devices cannot be patched and are cycled quickly, indicators of compromise disappear almost as fast as defenders publish them — a pattern the 16-agency advisory called 'IOC extinction'. This makes blocklists structurally insufficient against this actor.
Source: NCSC 16-agency joint advisory, April 2026

What is the connection between Flax Typhoon and Integrity Technology Group?
The FBI assessed that Integrity Technology Group, a Beijing-based cybersecurity company sanctioned by OFAC in December 2025, created and operated the infrastructure Flax Typhoon used for its intrusion activities, including managing the Raptor Train botnet. The 16-agency April 2026 advisory made this connection public for the first time at the institutional level.
Source: FBI / NCSC joint advisory

When was Flax Typhoon first publicly disclosed?
Flax Typhoon was first publicly named by Microsoft in 2023. Western intelligence agencies tracked the actor from at least 2021. The most significant public attribution came in the 16-agency joint advisory of 23 April 2026, which named Integrity Technology Group as its infrastructure operator.
Source: Microsoft / NCSC

Background

Flax Typhoon is a China-nexus state-aligned cyber espionage actor that has been tracked by Western intelligence services since at least 2021. The group targets government agencies, defence contractors, telecoms providers, and universities primarily in Taiwan, Southeast Asia, and the United States. Flax Typhoon's tradecraft blends legitimate remote-access tooling (VPNs and standard Windows utilities) with low-footprint persistence techniques designed to survive endpoint detection. Its operational pattern prioritises long-term access and intelligence collection over destructive payloads, consistent with PRC strategic intelligence priorities rather than sabotage.

Flax Typhoon is assessed by the FBI to have used Integrity Technology Group, a Beijing-based company sanctioned by OFAC in December 2025, as its primary infrastructure provider and operator. Through Integrity Technology Group, Flax Typhoon managed the Raptor Train botnet, a network of 200,000+ compromised SOHO routers, NAS devices, cameras, and firewalls first mapped publicly in 2024. Raptor Train served as the covert relay network that masked Flax Typhoon's operational traffic behind a distributed layer of infected edge devices, making attribution and blocking significantly harder for defenders.

A 16-agency joint advisory signed on 23 April 2026 formally named Flax Typhoon as the actor behind China-nexus covert networks targeting critical national infrastructure including energy, healthcare, transport, digital infrastructure, and government sectors. The advisory is the most comprehensive public attribution of Flax Typhoon to date, connecting the actor directly to Integrity Technology Group and Raptor Train with the institutional weight of agencies including NCSC, CISA, NSA, FBI, the Australian Signals Directorate, and their German, Dutch, Japanese, New Zealand, Spanish, and Swedish counterparts.

The advisory explicitly flagged IOC extinction as the defining defensive challenge posed by Flax Typhoon's infrastructure model: indicators of compromise disappear as fast as defenders publish them because the botnet cycles through infected end-of-life devices that cannot be patched and are quickly replaced. For UK and allied network defenders, this makes blocklist-based defences structurally insufficient against this actor, and the advisory recommendations pivot towards edge-device traffic baselining and dynamic threat-feed filtering instead.
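The defensive shift the advisory describes, from static blocklists to per-device egress baselining, shown as an added illustration that is not from the advisory or this page. All flow records, device names, IP addresses and dates below are constructed sample data; the relay addresses are placeholders, not real indicators.

```python
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed flow records: (day, edge_device, dst_ip, dst_port, bytes_out).
# 203.0.113.x stand in for normal services, 198.51.100.x for botnet relay nodes.
FLOWS = [
    ("2026-04-20", "cam-01", "203.0.113.10", 443, 12_000),
    ("2026-04-21", "cam-01", "203.0.113.10", 443, 11_500),
    ("2026-04-22", "cam-01", "203.0.113.10", 443, 12_300),
    ("2026-04-20", "rtr-02", "203.0.113.20", 53, 2_000),
    ("2026-04-23", "cam-01", "198.51.100.7", 443, 900_000),    # relay node, on the IOC list
    ("2026-04-25", "cam-01", "198.51.100.42", 8443, 880_000),  # replacement relay, on no list yet
    ("2026-04-25", "rtr-02", "203.0.113.20", 53, 2_100),
]
# Constructed static IOC list: indicator -> publication date. The relay behind
# 198.51.100.7 was cycled out two days after publication (IOC extinction).
IOC_LIST = {"198.51.100.7": date(2026, 4, 23)}
TRAIN_UNTIL = date(2026, 4, 22)  # baseline window ends before the relay contacts start

def blocklist_hits(flows, ioc_list):
    """Flows whose destination is on the static blocklist; rotated relays are missed."""
    return [f for f in flows if f[2] in ioc_list]

def build_baseline(flows, train_until):
    """Per device: destination ports seen and mean bytes_out during the training window."""
    ports, volumes = defaultdict(set), defaultdict(list)
    for day, dev, _ip, port, nbytes in flows:
        if date.fromisoformat(day) <= train_until:
            ports[dev].add(port)
            volumes[dev].append(nbytes)
    return {dev: (ports[dev], mean(volumes[dev])) for dev in ports}

def baseline_deviations(flows, baseline, since, volume_factor=10):
    """Post-window flows using a port the device never used, or exceeding N x its mean volume."""
    alerts = []
    for day, dev, ip, port, nbytes in flows:
        if date.fromisoformat(day) <= since:
            continue
        known_ports, avg = baseline.get(dev, (set(), 0))
        if port not in known_ports:
            alerts.append((dev, ip, f"new egress port {port}"))
        elif nbytes > volume_factor * avg:
            alerts.append((dev, ip, f"egress {nbytes} bytes > {volume_factor}x baseline"))
    return alerts

if __name__ == "__main__":
    base = build_baseline(FLOWS, TRAIN_UNTIL)
    print("blocklist hits:", blocklist_hits(FLOWS, IOC_LIST))                  # 1 flow (listed relay only)
    print("baseline alerts:", baseline_deviations(FLOWS, base, TRAIN_UNTIL))   # both relay contacts
```

The blocklist catches only the relay that was published before it was replaced, while the per-device baseline flags both relay contacts without knowing either address.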
